Domain: acm.org
Stories and comments across the archive that link to acm.org.
Comments · 1,502
-
Re:Programmers != Engineers
We have a code of ethics... the ACM writes them. I suppose it isn't really mandatory that we belong and therefore adhere to them, but I was taught to fall back on them for ethical issues.
http://www.acm.org/about/code-of-ethics
The code is pretty much common sense. If you want a funny and kinda sad read, find the real estate code of ethics. They have to outline every evil, dirty little trick ever pulled and explicitly say not to do it.
-
Re:Buffer bloat or inadequate bandwidth
So now the guy that couldn't figure out himself why his connection underperformed is going to tell me what "real network engineers" think?
Great. If you think I'm going to argue this insanity, you're delusional.
And btw, it's low-quality ISPs that agree throwing away 40% of your bandwidth is a solution. GOOD ISPs will throw away 60% at least, sometimes more. (because if you want redundant paths to function you need to "throw away" at least 50% because the link might need to carry both its own load and the traffic from its redundant path, so a good isp doesn't just throw away 50%+ of link bandwidth, they throw it away TWICE)
e.g. http://portal.acm.org/citation.cfm?id=1159925
Idiot
-
Re:A better mousetrap?
Easy to use graphics tablets have been around since as early as 1969. The only reason mice are the standard is that they are cheap.
-
Re:Missing Story Tag : DRM
It doesn't work like that.
Sooner or later, if DRM hardware is 'everywhere', then a big corporation can simply make it mandatory for some file format or protocol... for... ahem... 'security'.
This will instantly lock out any possibility of an open source implementation of such a protocol, as most DRM schemes require code signed by a trusted central authority, which is a concept in diametric opposition to the 'open' part of the whole concept of open source.
Without open source, competition will be reduced, prices will go up, and your options as a customer will be restricted.
There are other abuses possible also, most of which you may never see coming until it is too late.
For example, if Microsoft can convince the idiots running most big bureaucracies that their network isn't safe from hackers unless there's an end-to-end DRM on everything, then this will effectively lock out their smaller competitors from having any hope of even physically talking to any other machine on such a network. It probably won't do anything to increase safety from hackers, but it will certainly make Microsoft safe from their competition! This of course will increase costs for bureaucracies, which come out of your taxes.
You think I'm joking? Microsoft already tried this, it's called Active Directory Rights Management Services Role. Sounds innocent, right? It's horrifying! It's pure evil, the ultimate lock-in: using military grade cryptography to ensure that their customers stay locked in forever, and cannot possibly get their own data out of the walled garden of Microsoft software. They even tried to change low-level network protocols to prevent their competitors from competing on the 'corporate network' with their offerings by implementing open protocols: Network Access Protection. If you don't know what NAP is, it's a system that does nothing a firewall couldn't, except that to gain access, you must have a DRM-enabled computer running an OS kernel that's digitally signed by... a trusted authority.
Microsoft is pushing hard to have this technology become mandatory in some scenarios, like health data. Can you imagine if you couldn't obtain your own health records if you had one of those filthy 'untrusted' Linux computers? It's a very real possibility, and Microsoft wants it, bad.
I'm not making this up, check it out: Using Digital Rights Management for Securing Data in a Medical Research Environment.
To put it another way: This is not a feature Intel is including for free, out of the goodness of their hearts, just in case you want it. It's about increasing profits of the biggest corporations not just at your expense, but at the cost of your rights and freedoms. How does this not upset you?
-
Re:Software engineer vs. computer programmer?
As far as I'm aware, there is no organization granting or requiring one to have a license in order to be a practitioner of software development. For instance, the medical field requires that practitioners hold a specific license and, in addition, requires that said practitioner also seek continuous development throughout one's career in order to maintain a valid license. In this sense, software engineering is an immature field. The ACM organization does however publish a Software Engineering Code of Ethics that I was asked to agree to upon graduating from my institution and being granted a degree. This, of course, is not at all enforced in practice as employers do not request a legal document stating that I've agreed to that code. http://www.acm.org/about/se-code
-
Nothing New Here
This result was already pretty well known.
Jagatic and others saw this in 2007 in their work on social phishing at Indiana University.
We saw the same in our PhishGuru work at Carnegie Mellon, on training people not to fall for phishing scams in 2009.
As an aside, I know many slashdotters don't believe you can train people to protect themselves from phishing. That is the standard conventional wisdom in computer security. However, we've actually demonstrated that you can, if you make it fun, timely, and relevant. We're commercializing some micro games for security training and a service for simulated phishing attacks based on research we did at Carnegie Mellon.
-
Re:This is research?
Very few studies of software as it is and as it runs.
Try http://www.research.ibm.com/people/n/nickmitchell/publications/lcsd2005.pdf to a paper called "Diary of a Datum" and http://portal.acm.org/citation.cfm?id=1297046 to another paper called "The causes of bloat, the limits of health". Both describe studies of large running applications in situ.
Full disclosure - I work for IBM Research and these papers were by folks in my department.
-
Re:Yes
You can't win this fight without OS involvement.
Very true. This is why the DoD wrote Trusted Computer System Evaluation Criteria level B1.
The correct solution is application-level sandboxing, which quite a few people are working on.
Apparently the procurement process selected vendors in 1987 http://delivery.acm.org/10.1145/200000/190750/p6-huber.pdf?key1=190750&key2=9264601921&coll=DL&dl=ACM&CFID=116472169&CFTOKEN=18806783. Bonus: the only product which completed the joint DIA/NSA evaluation process was running an Apple operating system with Unix roots (and not named "OS/X").
-
Re:Instruction set...
they're forced to do so because they reach the limits of a single core
Well yes, but you might as well have argued that nobody wanted to make faster cores but they're limited by current clock speeds... The fact is that you can no longer make cores faster and bigger, you have to go parallel. Even the intel researcher in the article is saying the shared memory concept needs to be abandoned to scale up.
Essentially there are two approaches to the problem of performance now. Both use parallelism. The first (Nehalem's) is to have a 'powerful' superscalar core with lots of branch prediction and out-of-order logic to run instructions from the same process in parallel. It results in a few, high performance cores that won't scale horizontally (memory bottleneck)
The second is to have explicit hardware-supported parallelism with many many simple RISC or MISC cores on an on-chip network. It's simply false to say that small message passing cores have failed. I've already given examples of ones currently on the market (Clearspeed, Picochip, XMOS, and Icera to an extent). It's a model that has been shown time and time again to be extremely scalable, in fact it was done with the Transputer in the late 80s/early 90s. The only reason it's taking off now is because it's the only way forward as we hit the power wall, and shared memory/superscalar can't scale as fast to compete. The reason things like the Transputer didn't take off in mainstream (i.e. desktop) applications is because they were completely steamrolled by what x86 had to offer: an economy of scale, the option to "keep programming like you've always done", and most importantly backwards compatibility. In fact they did rather well in i/o control for things such as robotics, and XMOS continues to do well in that space.
The "coherency problem" isn't even part of a message passing architecture because the state is distributed amongst the parallel processes. You just don't program a massively parallel architecture in the same way as a shared memory one.
-
Re:Nothing new.
> A Computer science professor called Ken Perlin
Understatement of the year -- this guy _invented_ Perlin noise.
Agreed. There were two papers published in SIGGRAPH 1985 that really introduced "Solid texturing" to the computer graphics community. One of those was Perlin's An Image Synthesizer which has since formed the basis for numerous procedural texturing systems, especially those in ray tracing systems.
-
Correct URL
The correct url to the interview is: http://queue.acm.org/detail.cfm?id=1883592 not http://queuedev.acm.org/detail.cfm?id=1883592
-
Re:So instead of enhancing everyone's software...
IBM had been generating test programs, in order to test its processors, way before 1995 - there was a paper about it, which I'd have to look up. It used a model of the CPU, request language and other testing knowledge - including a reference model (an automaton approximating the behavior of the CPU).
Here is a reference to one of the papers (1995)
Since I have not read the patent, I have no idea if this applies.
-
Re:FF4 has some pretty serious memory leaks still,
Memory fragmentation will not directly cause a program to slow down.
Simple models of memory don't work well when applied to real computers.
-
Re:Background?
My poor rhetorics regardless, the OP is wrong - there is neither a need for Linux to know that a file copy need be done in background (no need does not mean a user can't hint the system about his preference), nor should the users be dependent on 'ionice' to have responsive systems - Windows gets it right ENOUGH without user intervention.
Same goes for CONFIG_HZ - I think we all know deep down inside that nobody is going to bother resetting variables to fix the symptoms of a problem lying somewhere else entirely. Also, Transmission was just an example - I am sure its program is fairly straightforward, certainly straightforward enough to not make it a culprit - a 'dd if=/dev/sda of=/dev/sdb' will starve the system in much the same manner.
I did not make up the studies, in case you are ironic about them telling you what you want:
http://portal.acm.org/citation.cfm?id=339420
http://www.sapdesignguild.org/community/design/perc_perf.asp
and of course the closely related term http://en.wikipedia.org/wiki/Perceived_performance
I'll admit it's not like googling Angelina Jolie but the information is out there
-
Re:Glad thats sorted out!
Corrected link...
For what it's worth, Vint Cerf was instrumental in ensuring that the putative IPv6 fix would fail massively.
It's not that I don't believe you, but I would like a little more information than a simple bald assertion by a random Slashdot poster.
Ask and you shall receive. Vint Cerf held the post of "Internet Architect" from 1989 to 1992 during which time IPv6, then called IPNG was designed. Vint described himself personally to me as "chairman of the committee" which I accepted at face value, although the documentary evidence does not support that. Nonetheless, wearing his various hats including chairman of ICANN and chairman of ISOC, he played more than a cameo role in the evolution of IPv6.
Incidentally, when I asked him if more could have been done by the designers of IPv6 to ease the transition from IPv4 to IPv6 he got red in the face and spat out in a most unseemly way "certainly not". I was quite taken aback at that response to my simple, fair and on the face of it, topical question. I did not further converse with him, and have not done so since.
-
Dupe..
This story is old/a dupe. This was announced quite a while back. I can't find a lot of the old info thanks to this recent story but here's one from last year and I'm sure there are some from a couple years ago..
http://portal.acm.org/citation.cfm?id=1655066&dl=GUIDE&coll=GUIDE&CFID=108009773&CFTOKEN=58257172
-
Re:What about emacs
You're right. Not many people know that he is actually a recipient of the Grace Murray Hopper Award, which is usually considered the younger cousin of the Turing Award.
http://awards.acm.org/citation.cfm?id=9380313&srt=all&aw=145&ao=GMHOPPER&yr=1990
-
Re:Microsoft borrowing ideas from Apple again?
Bill Buxton isn't just some random Microsoft employee, he's one of the pioneers of the industry, and has been working with multi-touch systems since back in the early eighties.
Contrary to popular belief Apple didn't invent multi-touch
Multi-touch technologies have a long history. To put it in perspective, my group at the University of Toronto was working on multi-touch in 1984 (Lee, Buxton & Smith, 1985), the same year that the first Macintosh computer was released, and we were not the first. Furthermore, during the development of the iPhone, Apple was very much aware of the history of multi-touch, dating at least back to 1982, and the use of the pinch gesture, dating back to 1983. This is clearly demonstrated by the bibliography of the PhD thesis of Wayne Westerman, co-founder of FingerWorks, a company that Apple acquired early in 2005, and now an Apple employee:
Westerman, Wayne (1999). Hand Tracking, Finger Identification, and Chordic Manipulation on a Multi-Touch Surface. U of Delaware PhD Dissertation: http://www.ee.udel.edu/~westerma/main.pdf
In making this statement about their awareness of past work, I am not criticizing Westerman, the iPhone, or Apple. It is simply good practice and good scholarship to know the literature and do one's homework when embarking on a new product. What I am pointing out, however, is that "new" technologies - like multi-touch - do not grow out of a vacuum. While marketing tends to like the "great invention" story, real innovation rarely works that way. In short, the evolution of multi-touch is a text-book example of what I call "the long-nose of innovation."
Microsoft borrowing ideas from Apple again?
It's probably the other way round. Nice troll though.
-
Re:Already secure
The internet is already secure enough for me, when using SSH to a trusted host.
Fixed parent's post for him.
I like the approach to personal security suggested in this article that was posted on Slashdot a while back. The basic gist is that the amount of effort we put into preventing an attack should be less than the probability of a successful attack occurring times the expected loss from a successful attack.
Now, I didn't RTFA, but I assume the types of attacks that the NSA director is referring to are more severe than loss of credit card theft and loss of personal data. Things like taking down our air traffic control systems or power grid. For those sorts of systems - yes I think we would want to invest the same level of effort into keeping those systems secure as we do keeping, say, our nuclear reactors secure.
-
Sounds like you want a media space.
It sounds like you want to create a "media space". This idea has been floating around since around the 1980's at Xerox PARC. See http://portal.acm.org/citation.cfm?doid=151233.151235 for more details. While this work is quite old, they may have good ideas on how to best integrate persistent video conferencing into a shared/public space. See also: http://www.springerlink.com/content/l17xvjr522l16v62/. Sadly, both links are pay sites, but if you are studying at a university you may have access.
-
Autostereoscopic Displays
Where the resolution gets divided by the number of views displayed simultaneously. If you could make a display with 1000 dpi resolution, you could turn it into an autostereoscopic display with horizontal parallax displaying 10 images at 100 dpi. I imagine a 10000 dpi screen would let you create something indistinguishable from a hologram with no glasses required to view it...
-
Re: Multiple Time Servers Considered Harmful
No, actually, it won't. Read this: http://queue.acm.org/detail.cfm?id=1773943
-
bad requirements? short notice
FTFA:
http://www.acm.org/uist/uist2010/Student_Contest.html
The current requirements for running the keyboard are below:
1. A computer running Windows Vista or Windows 7. 32-bit only.
So you're required to be nerdy enough to want to enter this contest and create a demo of your idea, but noob enough to still be running 32-bit? Half of Windows 7 PCs run the 64-bit version
"To reserve a place in the contest and to receive an Adaptive keyboard for development, contestants must submit an entry email to the contest chair no later than August 17th, 2010."
Not much notice /.!
-
Enter By Tomorrow
From the contest website:
The goal of the contest is to develop new interactions on unique hardware that you cannot get anywhere else. We supply you with the special hardware and you show us how innovative you can be with it.
... To reserve a place in the contest and to receive an Adaptive keyboard for development, contestants must submit an entry email to the contest chair no later than August 17th, 2010.
You also have to return the keyboard by October, so it's not yours forever. http://www.acm.org/uist/uist2010/Student_Contest.html
-
Re:Use databases!
You might find this interesting.
-
Re:From the wikipedia discussion page
"Deolalikar's result is that "P (does not equal) NP (intersect) co-NP for Infinite Time Turing Machines". This is a special context - infinite time Turing machines are not the same thing as standard Turing machines, but are a kind of hypercomputer. Dcoetzee 09:07, 8 August 2010 (UTC)"
From http://en.wikipedia.org/wiki/Talk:P_versus_NP_problem#Potential_Solution
That was a different paper, published in 2005:
-
Re:Properly documented policies...
No one is expecting management to come in and fight the fire at 2 AM. What is expected of management however is for them to understand what is happening within their organization (and not at the bits and bytes level) because they are directly responsible for the actual organization. What management should be able to do is to be able to bring in another competent person to fix the fire at 11 AM because you were killed on the highway while you were driving into the office at 2. And that competent person should be able to get a start fixing that problem because management was able to give them the proper "keys" and there is proper documentation for them to get a gist of the layout of the system.
Yes -- you are a sysop, and not management. You are an employee hired to perform what management wants. If management screws up and something happens to the organization, they can be legally held responsible -- think Sarbanes-Oxley, if you are following their orders then you are off the hook (one of the reasons why executives are paid the salaries that they are). If you go off and do something on your own without their approval, or try to hide things from them under the guise of "I know what's right for the business", and something happens it will be your butt on the line.
Say that you worked in a finance group responsible for transferring company assets into different external funds that are dictated by upper management, and you thought "hey upper management doesn't understand what they are doing and they don't listen to me, I'm going to go out and transfer some of the company's money into some of the funds that I think are doing well, and I know it can make a huge return of investment for the company". How far do you think your arguments would float?
One of the things is that sysops and admins need to stop "hiding" the incompetencies of management by "by going behind management and doing the right thing". If you really believe that the organization is going to fail because of management decisions, document what those decisions are, document how you believe that they are harming the organization and report it to the organization's internal auditing or business controls folks.
The code of ethics for the ACM includes the following http://www.acm.org/about/code-of-ethics
- 1.2 Avoid harm to others - which includes whistle blowing if you believe that superiors are not acting to mitigate a problem that could harm others, but it also means that you've done all the homework as well and taking responsibility of your actions.
- 2.5 Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks.
- 2.6 Honor contracts, agreements, and assigned responsibilities.
- 2.8 Access computing and communication resources only when authorized to do so.
All in all I believe that if you really read the full list of the ethics of these types of organizations you will find that if you are doing your job well, properly documenting any issues, validating problems, and responsibly reporting them, incompetency will not have a leg to stand on.
-
Re:Sounds pretty fair
Indeed.
Although the rules aren't 'illusory, unwritten set of rules of decorum or behaviour'.
The IT industry, like many other industries, has actual codes of conduct that administrators and professionals should agree with. People should have been taught these rules in school, and they should also be roughly close to company policy for that.
The ACM has one, as do other organizations.
There are real codes of ethics that computer professionals need to follow. There isn't any professional organization like, for example, in medicine or law, so you can't be 'kicked out' of the industry, but there is still a default level of rules that people should follow on top of whatever their workplace says. (And, of course, their workplace should have those rules stated again.)
And none of that has a damn thing to do with the law, and none of that is a reason for anyone to spend any time in jail.
-
Re:Alternatives to NTP
You can keep your clocks accurate with something that isn't inherently unstable and complex, like RADclock. Or for leaf nodes, you can stay with the same basic protocol but jettison a lot of the complexity by switching to SNTP.
-
Knut Btree Algo is off by 1 order of magnitude
fyi, http://queue.acm.org/detail.cfm?id=1814327 He'll admit his error in designing the CS classic Btree algorithm. The error was uncovered by the author of 'Varnish' caching software. Dietrich
-
Two options
It sounds like you have two vertical markets to look at for publishing:
- ACM - Association for Computing Machinery, is the major computer science organization, http://www.acm.org/ They would be interested in the algorithm and its impact
- The Geological Society of America, http://www.geosociety.org/ or similar in your host country.
Both of these organizations publish several different journals and you'd need to submit to the right one. You'll want to email or telephone someone on the inside to get a better idea of where your topic might fit, usually an editor, or the like. Keep in mind it would actually be two different papers as one would focus on the computer science aspects of what you did and the other would be more geoscience focused on the utility of the algorithm within the field, etc.
-
visit the library, read papers
Pay a visit to the library of a nearby university with a CS department (sometimes the departments have their own libraries) and look at the computer science related journals they have (a list of ACM associated journals can be found at http://www.acm.org/publications/panel/journals). Most of what I know about writing papers comes from reading them. The first thing you'll want to do is a literature search on related algorithms, and dig up some of those papers. Read through a bunch of them to see how they're organized, the types of subject material covered (to help you decide which journal to submit to) and the Information for Authors section. The Info for Authors section will tell you everything you need to know about formatting and submitting to that particular journal.
One of the staff librarians can probably help you find material to help you learn about the mechanics of paper writing.
The process from submission to publication (assuming your paper is accepted) will likely take several months to a year and involve one or more revisions.
-
To Err is Human - To Forgive Is Divine
This was news back in 2005: Practical Application of Optical Illusions: errare humanum est.
As a failing peculiar to animate visual systems, visual illusions might be used to distinguish humans from "computer bots"
... This approach inverts, and complements, the logic of the Turing test: not requiring evidence of an intelligent capacity equivalent to that of human beings, but rather that of a characteristic human failing.
-
Re:I worked on Byte Magazine
By the late 1980s Byte had become too focused on PC hardware instead of the more general concepts of computing. (My favorite example was when they gave the Amiga 1000 a negative review because it didn't have an AUTOEXEC.BAT). Likewise, Compute! became so hyperfocused on specific Commodore and Atari hardware, they would publish three or four nearly identical listings (C64,Vic,Atari400, Atari 800) instead of one program with the hardware specific stuff in separate subroutines. Even their checksum listings eventually got to the point where the reader was nothing but a human barcode reader who wasn't meant to understand what he was typing into his computer.
IMHO "Creative Computing" was a far better magazine than either. It remained a true computer science magazine until the very end, focusing on algorithms rather than the hardware platform-du-jour. For that reason, some Creative Computing articles are timeless. The only thing similar today would be ACM journals, but Creative Computing hit a sweet spot in the understandability vs depth curve that ACM journals rarely reach.
-
Douglas Adams foresaw the consequences...
The machine was rather difficult to operate. For years, radios had been operated by means of pressing buttons and turning dials; then, as the technology became more sophisticated, the controls were made touch sensitive
... now all you had to do was wave your hand in the general direction of the components and hope. It saved a lot of muscular expenditure of course, but meant you had to stay infuriatingly still if you wanted to keep listening to the same programme.
D. Adams, The Hitchhiker's Guide to the Galaxy. Ch. 12.
BTW, an envisionment of Natal in 1993, with datagloves: Charade, remote control of objects using free hand gestures published in Communications of the ACM. (Here for ps version)
-
ACM deja vu...
This reminds me of the infighting at the Association for Computing Machinery back in the 1980's. Up until then it was very relevant to programmers' interests; but then a group of people who were more focused on social issues took over and diverted much of the budget and journal space to their own agenda. Membership plummeted and the ACM never really recovered the status it had in the 60's and 70's.
-
Re:Things like this...
Fmri is still king of brain scanning.
While fMRI is currently the dominant technique for scanning brain activity, it wouldn't be used for "uploading your brain". In order to preserve the information in your brain we really need the network diagram. Currently there are a few groups in the world automating the process of cutting and scanning neural tissue with electron microscopy: Dr. Winfried Denk - serial block-face scanning electron microscopy and Dr. Clay Reid, to name two. Currently, they can only scan a 1mm^3 piece of brain. But it's really at this point just an engineering problem to do the whole brain.
An important issue that few people discuss is that even if you had a full network diagram of your brain and the hard disks to store it on (It's estimated that humans have on the order of 10^16 neural connections. If we say that we just need one byte per connection we would still need 10 petabytes per brain. And this is a reduced representation. During the actual scan we would need far more storage to trace all the physical connections) you would need some very impressive hardware to RUN your consciousness. Some have estimated that all of the CPUs currently connected to the internet have about the processing power of a single human brain. So, unless you are fabulously wealthy, you won't be able to pay for the hardware and electric bill of running your immortal consciousness.
-
We revamped our grad IT program to require coding
In the graduate program in Information Technology that I work with, we recently revamped the degree to make coding mandatory. Incoming grad students must pass a programming placement exam or complete an intermediate level (not beginning!) software development class, currently in Java or C++. We found we had a lot of students moving to IT with undergraduate degrees in electrical engineering who had seriously deficient coding skills so they were not able to make an adequate contribution in system and network security and voice over IP course projects.
We've always had a fairly robust coding and scripting requirement for our undergrads, who have to do introductory and intermediate Java, introductory C++, UNIX/Linux shell scripting in BASH or Perl, and Javascript. In the undergraduate program we cover all of the core elements of the Information Technology profession as defined by the Association for Computing Machinery (ACM) and the IEEE Computer Society:
IT Fundamentals
Programming
Human Computer Interaction
Databases
Networking
Websystems
Information Assurance and Security
Professionalism
-
Re:Sigh
I'm pretty sure I remember coming across a news piece that said exactly this a good 10-20 years ago..
Yep, it's old news. Here's an article from 2004, about some research done in the UK: http://www.useit.com/alertbox/20040412.html
Here's the summary of the paper at ACM.org: http://portal.acm.org/citation.cfm?id=993187
You can also find the PDF.
-
Get Your Facts CORRECT ! : +2, Prior Art
You state:
"Robert Morris, creator of the first internet worm!"
You are obviously unaware of The “worm” programs—early experience with a distributed computation
I hope this helps your reference callouts.
Yours In Akademgorodok,
Kilgore Trout, C.I.O.
-
Re:Finally.
You aren't telling me anything I didn't know. I read analogy considered harmful as an undergrad.
You can't stick a filing cabinet inside a filing cabinet, or a folder inside a folder (unless it's a different, bigger, kind of folder) - that's just one way it breaks down. That was before the advent of the internet; you don't really know (or need to know) where files are these days.
-
Completely Irrelevant
I didn't "quit"[*] because I was afraid my data was being leaked to my phone. I "quit" because it was being leaked across the whole goddamn Internet. This move is beyond worthless, and shows just how Zuck doesn't get it.
[*] No one really quits. They just "deactivate," while facebook keeps all your data. Remember when Facebook said that users owned their own data, yet never provided a way to completely delete it, nor export it? Talk is cheap. Platitudes even cheaper. Code is law.
-
Re:step-by-step guide for Americans
Just because something can be misused is not a valid reason for removal. Gotos are useful at times and can make code easier to read.
-
ACM Digital Library link
If anyone with ACM digital library access wants the DOI link to the original article, rather than the edited version on Sun/Oracle's site, it's http://doi.acm.org/10.1145/103162.103163.
It is an old article though, so it's a 44 page scanned PDF.
-
Two Related Research Papers
For those interested, there are two related research papers available by Conti and Sobiesk. The first, "Malicious Interface Design: Exploiting the User", was just published this week at the 2010 WWW Conference. The other is from IEEE Security and Privacy Magazine, "Malicious Interfaces and Personalization's Uninviting Future" (PDF).
-
Ballcrushers
And at most junior colleges, there are posers on the engineering staff and IT departments manning the labs that actively hunt down students that aren't toeing the Microsoft line. They come down on those students softly at first, then increasingly hard, until the student knuckles under or quits. Often it's just simple bullshit that is enough, such as putting it off indefinitely with kindly sounding blow-off phrases: "sure, we'll look at linux later, if there is time", ensuring that there never is time. Or other bullshit like "start with Windows and when you have proved yourself, you can try other systems", or still more shit like "why, yes, we teach both Windows and Linux" while actually cutting out all non-MS systems and languages except for leaving a handful of electives with NO hands-on lab work. They also find all kinds of ways to break any non-MS packages that the faculty forced them to install. "Oops, sorry, that last upgrade must have erased it. We'll get right on that next month."
Some places even relegate all non-MS technologies to a tiny handful of elective courses, only available in the final year, which the student might not even have time for even if the interest and motivation have not been rubbed out.
The problem is not a joke. It's not just kernel developers we are not producing, but programmers, system administrators and software engineers. There are almost no new people coming into the workforce with even a basic knowledge of correct design or methods. Even the big names are noticing this, but they're isolated far enough at the top that they miss sight of the fundamental staffing problems that have allowed Microsoft products anywhere near campus.
-
Re:It's a design problem.
This is not true. How useable would Facebook be without requiring a password to log in? Yes it would be easier to get in, but you would lose any trust in the application as anyone could be posting as anyone else. A system should be as secure as the data you are trying to protect within it.
See the following:
- Schneier's article
- Another Schneier reference
- Abstract to Security and Usability by Cranor and Garfinkel (what a humorous name)
Balancing usability and security is one of the toughest parts of designing a secure system; anyone that's had to even remotely consider security as a factor knows this. It still holds, however, that usability always suffers as security improves.
Facebook is a great example. Their authentication scheme was originally only passwords. However, they've had problems thwarting bots and other security problems over the years, so now they added CAPTCHAs depending on use. This wasn't too much of a problem (though I'd argue that usability was mitigated in favor of security, even if only slightly)...until Facebook Chat got popular. (Remember when people protested it up and down?) Porting Facebook Chat to anything was possible but difficult, largely due to these new authentication rules. Getting kicked out every couple of hours was the norm while using the Facebook protocols available at the time. It wasn't until they moved it over to Jabber that IMing on Facebook using external clients got easy.
Twitter's ongoing security issues are another great example of this. It's dead easy to use and I'll venture that the API is pretty easy to work with, since there are umpteen Twitter clients out there for every platform there is. However, Twitter made it on the front page here tons of times due to security breaches and the like. It's still used as an easy score for bots.
but most of the time getting a true single sign on requires you replicate password changes to systems that cannot change their authentication source and then you end up with the weakest link (say a messaging client that stores the password as an md5 hash) having the key to accessing your most guarded systems (i.e. payroll systems).
This is true, but there are a few caveats to that:
- Weak links are non-unique and non-inherent. There are still corporations out there that use applications that accept passwords as plain text. All it takes for a steadfast employee (or outsider, for that matter) to get someone else's password is for them to run a packet sniffer. Wouldn't it be better for a designer to approach the weakest link problem by strengthening the weakest link instead of trying to eliminate it outright?
- The answer is a budgeting problem. I never said that such a conversion would be easy or even cheap. The cost of replacing software that uses weaker authentication/security paradigms for those that conform to the SSO model is probably always non-trivial, but if it provides more overall security than the status quo with minimal impacts to usability, then isn't it still a win?
I don't think single sign-on is a flawed idea; at worst, I believe it's incomplete. In an ideal world, all software would support the most common authentication scenarios available (password, passphrase, card token and smart card). It would be extremely convenient for people to use one key for all of the important systems they interact with on a daily basis, as that would mean there's less for the person to lose and/or remember. However, idealism is hardly representative of reality. Perhaps a hybrid model where smart cards/work IDs are used for Windows authentication and RSA tokens are used for other systems would be a more realistic proposition...
-
Re:Might be particularly applicable to Java
And how does this situation differ other than the fact that the alloc/free operations are done local to the JVM instead of making system calls? The fact that the JVM is doing the work doesn't magically make memory management easier.
The other thing that I'm skeptical about is that the article seems to be contradicted by a more recent paper by the author that they are referencing (see Zorn http://portal.acm.org/citation.cfm?id=582419.582421). In the newer paper, Zorn et al. say that custom allocators are less efficient than a modern general purpose allocator.